CLI command logging without TACACS+

The Cisco IOS AAA architecture contains many handy features, including authorizing and logging every CLI command executed on the router. Unfortunately, AAA command accounting supports only TACACS+ as the AAA transport protocol, which makes it unusable in RADIUS-only environments.

You can use Embedded Event Manager (EEM) as a workaround. The following configuration commands will log every command executed on the router:

event manager applet CLIaccounting
 event cli pattern ".*" sync no skip no
 action 1.0 syslog priority informational msg "$_cli_msg"
 set 2.0 _exit_status 1

The log messages generated by this EEM applet have the following format:

%HA_EM-6-LOG: CLIaccounting: *command*

As the EEM uses standard IOS logging mechanisms, you can use the show logging command to examine the command execution history or store the messages on a syslog server.

Note: As a side effect, all commands executed on a router will be echoed to the router’s console unless you turn off console logging with the no logging console command or use TCL-based syslog filters (more about them in an upcoming post).
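Once the messages reach a syslog server you usually want to filter them there rather than in the EEM pattern. The Python below is an added example (not part of the original post): it parses the %HA_EM-6-LOG lines the applet above produces, drops read-only "show" commands (including their IOS abbreviations), and keeps the rest for review. It assumes the applet name CLIaccounting and IOS timestamp formats like those seen in the comments; the sample log is constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of the lines the applet produces (the applet name is configurable, so it is captured):
#   <timestamp>: %HA_EM-6-LOG: CLIaccounting: <command as typed>
# Timestamps may carry a year ("Aug 24 2012 11:19:06.686") or a zone name ("Sep 2 19:10:17 Almaty").
EEM_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?"
    r"(?:\s+[A-Za-z]\w*)?):\s+"
    r"%HA_EM-6-LOG:\s+(?P<applet>[^:\s]+):\s+(?P<cmd>.*)$"
)

@dataclass
class CliEvent:
    timestamp: str
    applet: str
    command: str

def parse_eem_line(line: str) -> Optional[CliEvent]:
    """Return a CliEvent for an EEM CLI-accounting line; None for any other syslog line."""
    m = EEM_RE.search(line)  # search, not match: tolerates sequence numbers or host prefixes
    return CliEvent(m["ts"], m["applet"], m["cmd"].strip()) if m else None

def is_read_only(command: str) -> bool:
    """Treat 'show' and its unambiguous IOS abbreviations ('sh', 'sho') as read-only."""
    words = command.split()
    if not words:
        return False
    first = words[0].lower()
    return len(first) >= 2 and "show".startswith(first)

def review_log(lines: List[str]) -> List[CliEvent]:
    """Keep only state-changing commands; filtering happens at the collector, not in the EEM pattern."""
    return [ev for ev in map(parse_eem_line, lines) if ev and not is_read_only(ev.command)]

# Constructed sample, modelled on the message format shown above (not a real capture).
SAMPLE_LOG = """\
Aug 24 08:19:06.686: %HA_EM-6-LOG: CLIaccounting: show running-config
Aug 24 08:19:09.180: %HA_EM-6-LOG: CLIaccounting: configure terminal
Aug 24 08:19:12.001: %HA_EM-6-LOG: CLIaccounting: interface FastEthernet0/0
Aug 24 08:19:15.300: %HA_EM-6-LOG: CLIaccounting: no shutdown
Aug 24 2012 11:19:20.500: %SYS-5-CONFIG_I: Configured from console by console
Aug 24 08:19:35.798: %HA_EM-6-LOG: CLIaccounting: sh ip int brief
Aug 24 08:19:40.000: %HA_EM-6-LOG: CLIaccounting: write memory
"""

if __name__ == "__main__":
    for ev in review_log(SAMPLE_LOG.splitlines()):
        print(f"{ev.timestamp}  {ev.command}")
```

Note that the EEM message carries no username (see the comments below), so correlate the timestamps with your AAA login accounting or the %SYS-5-CONFIG_I messages to attribute commands to a user.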

13 comments:

  1. Very useful trick.
    Can you get it to include the username as well? Usually you would like to monitor who made the changes.
  2. I haven't found an easy way to do it yet. The information passed to EEM applet or Tcl policy on CLI pattern match does not include line number or username.

    If you want to log changes to running configuration, you could use configuration logging feature.
  3. If you "accidentally" use

    event cli pattern ".*" skip yes sync no

    how do you remove it without a reload?
  4. @Tassos: There's always the power-on button :) I don't think you can gracefully recover from this situation.
  5. According to the documentation, if you use "sync no", the "set 2.0 _exit_status 1" line can be skipped.
  6. How to set a pattern which logs any command except those beginning with "show"?
    Thanks for the help.
  7. EEM-generated syslog messages do not show the correct local time in timestamps. Is there a way to fix this?

    Aug 24 2012 11:19:06.686: %SYS-5-CONFIG_I...
    Aug 24 08:19:09.180: %HA_EM-6-LOG: CLIaccounting...<- EEM generated
    Aug 24 2012 11:19:35.796: %PARSER-5-CFG...
    Aug 24 08:19:35.798: %HA_EM-6-LOG: CLIaccounting...<- EEM generated
  8. I have the same question as above:

    How to make EEM generated message show correct time:

    Sep 12 02:18:39.818: %HA_EM-6-LOG: CLIaccounting: ...
    Sep 12 09:18:40.171: %SYS-5-CONFIG_I: Configured from console by...

    It shows UTC time.

    Thank you
  9. What about this way?
    archive
     log config
      logging enable
      notify syslog

    It produces logs like this:
    R1(config)#username NEW privi 15 sec PASS
    R1(config)#
    Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:username NEW privilege 15 secret *****
    Sep 2 19:10:17 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:!config: USER TABLE MODIFIED
    R1(config)#int fa0/0
    R1(config-if)#
    Sep 2 19:10:32 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:interface FastEthernet0/0
    R1(config-if)#no sh
    R1(config-if)#
    Sep 2 19:10:35 Almaty: %PARSER-5-CFGLOG_LOGGEDCMD: User:Test logged command:no shutdown

    Timezone is processed correctly, only configuration mode commands are shown (including "do .*" commands)
  10. Anyone know how to do this in NX-OS? The syntax is similar but not the same:

    event manager applet CLIaccounting
    event cli match ".*"
    action 1.0 syslog priority informational msg [what can I put here?!]

    NX-OS Version 7.0(7)N1(1) doesn't seem to want to take anything like

    "$_cli_msg", $_cli_msg, $command, $_syslog_msg

    It will only take straight text.
  11. Has anyone tried this in tcl? Seems like it might be a better option and less risk of locking yourself out of the router if you fat finger the sync command.
  12. I have an older 6509 switch that is running 12.2(18)SXF12a. Do you know what version of IOS supports Archive and the rest of the commands? The Archive command is not available on this switch...
  13. How to catch the full command with an extension like 'show user | include qqq'?